Application Security Models
I like to start system design (at the application level) with the security model that will be used to protect the system. Application security models have several attributes that need to be addressed at each layer of the application.
In an earlier blog post, I introduced the attributes of an application security model:
- Authentication
- Authorization
- Confidentiality
- Integrity
- Non-Repudiation
- Availability
- Auditability
- Identity Propagation
As I finish blog post on the remaining items, I will update this post with links.
We can briefly define each of these attributes as:
Authentication: The process of proving your identity to the system.
Authorization: The process of determining if the authenticated identity is allowed to access the requested server resource based upon a predefined authorization policy.
Confidentiality: Limiting access to the data to parties that should be allowed to see it in transit or at rest.
Integrity: Ensure that the message was not modified in transit between two actors.
Non-Repudiation: Assurance that the actor who sent the message cannot deny that it sent it.
Availability: Measure of the system performing as required.
Auditability: Ability of an Information Security Auditor to have sufficient information after the fact to reproduce an event of interest and confirm that appropriate security policies are in place regarding all aspects of the system (for application users and administrative users
Identity Propagation: A mechanism that, ideally, securely transmits an authenticated identity from one system actor to another (think SAML 2.0 Bearer Tokens or JWT tokens).
Image: Patterned / Bojan Bjelic